PIX-to-PIX: How to redirect incoming traffic over VPN

Posted on 2006-03-25
Last Modified: 2013-11-16
Greetings security professionals.

I have two locations, A and B.
There is a PIX515E (OS 7.1) at each location.
They are linked by a working VPN tunnel.
A's inside address space is
B's inside address space is

A has a /24 external (globally routable) address space.
I want to be able to take one of those external addresses on the A-side PIX515E and NAT/"redirect" it over the VPN tunnel to one of B's inside addresses.

For example: -> is an external address on A-side. is an inside address on B-side.

I've tried various attempts over the last two days without success. Is this even possible? Any help greatly appreciated.
My current working config is pasted below (routable addresses obscured).


: Saved
PIX Version 7.1(2)
hostname pix
enable password * encrypted
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address
interface Ethernet2
 no nameif    
 no security-level
 no ip address
passwd * encrypted
ftp mode passive
dns server-group DefaultDNS
same-security-traffic permit intra-interface
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
access-list 106 extended permit ip
access-list 107 extended permit ip any
pager lines 24
mtu outside 1500
mtu inside 1500
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 107
nat (inside) 1
static (inside,outside) netmask
static (inside,outside) netmask
access-group 101 in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map map1 10 match address 106
crypto map map1 10 set peer
crypto map map1 10 set transform-set myset
crypto map map1 interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group type ipsec-l2l
tunnel-group general-attributes
tunnel-group ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 60
console timeout 0
: end
Question by: lodcomm
    LVL 32

    Expert Comment

    I'm not sure if this is even do-able, but I've not worked on 7.0 yet. But just curious, why do you want to do it? I mean, on the other side (B side) PIX, don't you have a public address and redirect it there through a static statement?

    I mean, or else you could even do a port redirection, in case you don't have a spare static address at B side.


    Author Comment


    The reason I want to do this is simple. I need to temporarily redirect all IP traffic from one physical location to another, and it cannot be done with DNS changes.

    LVL 79

    Accepted Solution

    I'm afraid that this is not even possible with PIX. Not even with 7.x
    Absolutely impossible with 6.x for sure

    You want to nat a public IP on site A to a private IP on site B, over the VPN tunnel.

    Just as an aside, acl 107 should not reference "any"
    >access-list 107 extended permit ip any

    It can only be from inside to remote:
    >access-list 107 extended permit ip

    And therein lies the primary issue.
    With a PIX, you can't take a source address from "any" public IP, static NAT to a private IP that is accessible only via a direct VPN tunnel to another location. It just can't happen....
    The default gateway on the remote site must be its own local PIX, and that PIX has a default gateway for "any" to its local ISP, not across the VPN tunnel to respond directly out the "other" PIX.

    LVL 25

    Expert Comment

    lrmoore, are you sure about not with 7.x?
    In 7.x they allow for intra-interface traffic. I haven't tried it on 7.x, but will for the hell of it to check. 6.x won't, though. However, wouldn't a downfall of the needed configuration (since you are trying to use "any") be that all traffic from either the B network or that host on B would have to be routed through the VPN to the A network and then out?

    Until 7.x, traffic in PIXs was not allowed to travel between interfaces of the same security level (which of course included going in and out the same interface). However, I have to agree with lrmoore on this one, it's either not feasible or not possible.

    What I would try is do a static to a host on A, then have that host do a translation to the host on B and forward that packet on so that the host on B thinks the request came from the host on A.  How you'd do that could be difficult depending upon the A host you use.  This way the site-to-site VPN config doesn't need any changing and everything should route fine, provided the A host is properly configured to mangle the IP packet to source nat the packet to itself.

    Or am I just wishful thinking that this would work?
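    The relay-host workaround described in the comment above, written out as an added example (this is not code from the thread or from any of its participants). It assumes a Linux host with nftables on the A-side inside network that has been given a dedicated secondary address (RELAY_IP, assumed 192.168.1.250; the thread's real addresses are obscured) which the A-side PIX maps with `static (inside,outside) <public-ip> <RELAY_IP>`, and a target host at site B (B_HOST, assumed 192.168.2.20) reachable through the existing tunnel. The host DNATs everything arriving for RELAY_IP to B_HOST and SNATs those flows to RELAY_IP, so B answers the relay, whose replies ride the A<->B tunnel rather than B's default gateway. Using a secondary address keeps the host's primary address, and your management session to it, out of the DNAT rule.

```shell
#!/bin/sh
# Added example: nftables ruleset for an A-side Linux relay host.
# Assumed (constructed) addresses: RELAY_IP=192.168.1.250, B_HOST=192.168.2.20.
# Usage: sh relay.sh RELAY_IP B_HOST        -> print the ruleset
#        sh relay.sh RELAY_IP B_HOST apply  -> enable forwarding and load it (root)

# Reject anything that is not a dotted-quad IPv4 address so that nothing
# unexpected is interpolated into the ruleset handed to nft.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs="$IFS"; IFS=.
    set -- $1
    IFS="$old_ifs"
    for octet in "$1" "$2" "$3" "$4"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit an idempotent nft ruleset: declare the table, flush it, then define it.
gen_relay_ruleset() {
    relay_ip="$1"
    b_host="$2"
    is_ipv4 "$relay_ip" || { echo "bad RELAY_IP: $relay_ip" >&2; return 1; }
    is_ipv4 "$b_host"   || { echo "bad B_HOST: $b_host" >&2; return 1; }
    cat <<EOF
table ip relay
flush table ip relay
table ip relay {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # everything the PIX static delivers to the relay address goes to site B
        ip daddr ${relay_ip} dnat to ${b_host}
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # only flows that were DNATed above get their source rewritten, so B
        # sends its replies back to the relay (and thus over the A<->B tunnel)
        ct status dnat snat to ${relay_ip}
    }
}
EOF
}

# Turn on forwarding and load the ruleset; requires root and the nft binary.
apply_relay_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
    gen_relay_ruleset "$1" "$2" | nft -f -
}

if [ "$#" -ge 2 ]; then
    if [ "$3" = "apply" ]; then
        apply_relay_ruleset "$1" "$2"
    else
        gen_relay_ruleset "$1" "$2"
    fi
fi
```

    Two caveats a practitioner would want stated. First, the B-side host sees every relayed connection sourced from RELAY_IP, so the original client addresses are lost to B's logs and access controls. Second, nothing on the PIXes needs to change only if the tunnel already carries A-inside to B-inside traffic: the crypto ACL (106 in the posted config) and the NAT-exempt ACL (107) must both match RELAY_IP to B_HOST, and the inbound ACL on the A-side outside interface must permit the traffic to the public address, which the posted `access-list 101` does.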

    Author Comment

    lrmoore, Cyclops3590  --

    Thanks for your comments.

